The Salesforce sharing model
Once you have selected which objects and fields a user can have CRUD access to, you need to know how to control record-level access. We can do this using Salesforce’s sharing settings.
OWD sharing
To define the Organization-Wide Defaults (OWD) sharing settings, go to Setup | Security | Sharing Settings.
A selection of standard objects and all custom objects can be set on this page.
The OWD page is where you set the most restrictive access level for a given object. From that baseline, an administrator can only grant additional access, not restrict it.
By default, Salesforce uses role hierarchies to grant access to records to users whose roles sit above the record owner's role in the hierarchy. This means that if a user owns a record whose object is set to Private in the OWD (so it should be visible only to its owner), the manager whose role is above the owner's can access the record as well.
For custom objects only, you can disable hierarchy access by deselecting the Grant Access Using Hierarchies flag. The role hierarchy will then no longer be enforced, but users with View All, Modify All, View All Data, and Modify All Data access will still be able to access that record.
If you change an object’s OWD to a wider value (for example, from Private to Public Read-Only) the visibility is updated instantly: users who weren’t able to access the records will immediately be allowed to do so.
If you restrict access (for example, from Public Read/Write to Private), Salesforce will start a recalculation that could take hours to complete, depending on the size of the dataset.
Be smart when planning your OWD changes. Once the recalculation has been completed, you’ll receive a system confirmation email.
The OWD settings have the following values (a selection of objects has specific values that differ from this list):
- Controlled by Parent: If a record is a child of another kind of record (for example, a contact is parented to an account), you can give this record the same access level as its parent. If a user can edit an account, then they’re allowed to edit its child contacts as well. When a custom object is a master-detail child of a standard object, the only available value is Controlled by Parent and it is not editable.
- Private: Only the record’s owner and users above their role hierarchy can view, edit, and report on the record.
- Public Read Only: The record is viewable and reportable by any user, but it can only be edited by its owner and users above the owner’s hierarchy.
- Public Read/Write: The record is viewable and editable by any user in your organization. Only the owner can delete or manually share the record.
- Public Read/Write/Transfer: Available only on cases and leads, the transfer operation allows ownership of a record to be transferred, but only the owner can delete or manually share it.
- Public Full Access: Available only on campaigns, this allows all users to read, edit, and delete a campaign, regardless of whether they are the owner or not.
The User object has the following two available values:
- Private: A record is accessible by the owner (that is, the same user) and by the users above it in the hierarchy.
- Public Read-Only: The record is accessible by any user in the organization.
In order to improve recalculation performance, you can enable External Organization-Wide Defaults and change the way records are shared with external users (such as customer community users).
Some types of external users are as follows:
- Authenticated website users
- Chatter external users
- Community users
- Customer portal users
- Guest users
- High-volume portal users
- Partner portal users
- Service cloud portal users
It’s good practice to set the Default External Access to Private and then extend accessibility using, for example, sharing rules or sharing sets for the external users only.
External access can be set for the following objects:
- Account
- Asset
- Case
- Contact
- Individual
- Opportunity
- Order
- User
- Custom objects
Remember that the external access level cannot be more permissive than the corresponding internal access level.
To enable the external OWD, click on the Enable External Sharing Model button on the Setup | Security | Sharing Settings page. All external default values are matched with the internal settings.
If you want to disable this setting, revert all the external values so that they match the internal ones.
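The two external-access rules above (keep Default External Access at Private, and never let it exceed the internal level) can be checked against retrieved object metadata before a deployment. The following is an added example, not code from the original text: it reads the `sharingModel` and `externalSharingModel` elements of Metadata API CustomObject files, and the object names, sample values, and the choice to treat an undeclared external value as equal to the internal one are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Metadata API sharing-model values, ordered from most to least restrictive.
RANK = {"Private": 0, "Read": 1, "ReadWrite": 2, "ReadWriteTransfer": 3, "FullAccess": 4}


def sample_object(internal, external=None):
    """Build a constructed CustomObject metadata document for the sample set."""
    ext = f"<externalSharingModel>{external}</externalSharingModel>" if external else ""
    return (f'<CustomObject xmlns="{NS["sf"]}">'
            f"<sharingModel>{internal}</sharingModel>{ext}</CustomObject>")


# Constructed sample input: hypothetical object names and OWD values.
SAMPLE = {
    "Invoice__c": sample_object("ReadWrite", "Private"),
    "Ticket__c": sample_object("Private", "Read"),
    "Survey__c": sample_object("Read", "Read"),
    "Note__c": sample_object("ReadWrite"),
    "LineItem__c": sample_object("ControlledByParent", "ControlledByParent"),
}


def audit_owd(objects):
    """Return (object, issue) pairs for external OWD values that break the rules above."""
    findings = []
    for name, xml_text in sorted(objects.items()):
        root = ET.fromstring(xml_text)
        internal = root.findtext("sf:sharingModel", namespaces=NS)
        # Assumption: an undeclared external value matches the internal one.
        external = root.findtext("sf:externalSharingModel", namespaces=NS) or internal
        if internal not in RANK or external not in RANK:
            continue  # e.g. ControlledByParent: access is inherited, nothing to rank
        if RANK[external] > RANK[internal]:
            findings.append((name, "external-exceeds-internal"))
        if external != "Private":
            findings.append((name, "external-not-private"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_owd(SAMPLE):
        print(f"{name}: {issue}")
```

An `external-exceeds-internal` finding marks metadata that contradicts the rule that external access cannot be more permissive than internal access; `external-not-private` marks objects where external users get access by default rather than through sharing rules or sharing sets.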